Slide 1
Slide 1 text
࣮ྫʹֶͿXSS੬ऑੑͷ
ൃݟͱमਖ਼ํ๏
ma.la
Slide 2
Slide 2 text
ςʔϚ
• ͍͔ͭ͘ࠓ·ͰXSSʹؔͯ͠ൃද͖ͯͨ͠(AppSec,AVTokyo, etc)
• ओʹൣͳαΠτʹӨڹ͢ΔϥΠϒϥϦͷ੬ऑੑͳͲΛղઆ
• ࠓճൃݟํ๏ࣄྫʹ͍ͭͯத৺ʹղઆ
• αΠτ։ൃऀଆͰͷରࡦ͕ඞཁͳՕॴ
Slide 3
Slide 3 text
Part0. XSSͬͯԿ
• αʔϏεΛఏڙ͍ͯ͠ΔυϝΠϯ্ͰɺҙͷJavaScriptίʔυ͕࣮ߦ
Ͱ͖Δ੬ऑੑ
• ͦͷυϝΠϯͰදࣔ͞ΕΔใΛ౪Έग़ͨ͠Γɺউखʹߋ৽͢Δ͜ͱ͕
ग़དྷΔ
• डಈత߈ܸ: ඃΛड͚Δͷ߈ܸϦϯΫΛ౿ΜͩϢʔβʔ
Slide 4
Slide 4 text
Part1. How to find XSS
Slide 5
Slide 5 text
ίʔυϨϏϡʔͷϙΠϯτ
• ೖྗՕॴͱධՁ͢ΔՕॴʹ͢Δ
• source ͱ sink ͱݺΕͨΓ͢Δ
Slide 6
Slide 6 text
୯७ͳXSSͷ߹
• αʔόʔଆͷHTML templateͰͷग़ྗՕॴɺධՁՕॴಉ͡
• ग़ྗՕॴͰhtml tagscriptΛදࣔ
• ίʔυΛ͍͚ͬͯେମશ෦ݟ͔ͭΔ
• Ұ෦Λআ͖ɺࣗಈΤεέʔϓͰશ෦Δ
Slide 7
Slide 7 text
୯७Ͱͳ͍XSSͷࣄྫ
• JavaScriptίʔυͷಈతੜ
• URLͷՕॴʹ javascript:xxx
• HTML escapeͰ͛ͳ͍
• DOM based XSSͱݺΕΔͷ
Slide 8
Slide 8 text
DOM based XSSͷ߹
• ೖྗՕॴͱධՁ͢ΔՕॴ͕ҧ͏
• JavaScriptͷίʔυΛΘͳ͍ͱ͔Βͳ͍
• ൃݟ͕͍͠ݪҼ
Slide 9
Slide 9 text
ೖྗՕॴͷྫ
location.* (location.href, location.hash, etc)
document.* (document.URL, document.cookie, etc)
window.name
Slide 10
Slide 10 text
ධՁ͢ΔՕॴͷྫ
ೖྗ͞Εͨύϥϝʔλ͕ग़ྗ͞ΕΔՕॴ
URLͱͯ͠ධՁɺJavaScriptίʔυͱͯ͠ධՁɺHTMLͱͯ͠ධՁ
Slide 11
Slide 11 text
URLͱͯ͠ධՁ
• location.href = , iframe.src =
• ajax, XMLHttpRequest ͰͷಡΈࠐΈ
• etc
Slide 12
Slide 12 text
ίʔυͱͯ͠ධՁ
• ίʔυΛಈతʹੜ͢ΔΑ͏ͳ͍ํ (͋·Γແ͍)
• eval()
• จࣈྻͰͷ setTimeout() setInterval() (͋·ΓΘΕͳ͍)
• Function() (͋·ΓΘΕͳ͍)
• etc
Slide 13
Slide 13 text
HTMLग़ྗ
• innerHTML =
• document.write()
• jQuery() $() $(el).html()
• ֤छςϯϓϨʔτΛͬͨग़ྗ
• etc
Slide 14
Slide 14 text
ίʔυͷྲྀΕΛ͍ͬͯ͘
• ag ͳͲͷίʔυݕࡧπʔϧΛ͏
• ҆શͩͱ֬ೝ͕Ͱ͖ͨॴআ֎͍ͯ͘͠
• ag innerHTML | ag -v "safe"
• ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰո͍͠Օॴݟ͔ͭΔ
Slide 15
Slide 15 text
ݟམͱ͕ͪ͠ͳϙΠϯτ
Slide 16
Slide 16 text
document.cookie / localStorage
• ݕࡧΩʔϫʔυཤྺΛอ࣋͢Δػೳ
• ҙͷΛอଘग़དྷΔ͜ͱ͕͋Δ
• ೖྗ࣌ͱग़ྗ࣌Ͱ͕࣌ؒࠩൃੜ͢Δ͜ͱ͕͋Δ
Slide 17
Slide 17 text
Persistent DOM XSS
• DOM based XSSͷӬଓԽ͕Մೳ
• cookie / localStorageʹ߈ܸ༻ͷίʔυΛอଘ
• දࣔ͢Δͨͼʹ࣮ߦ͞ΕΔΑ͏ͳέʔε
• → ࣗࣾͰͷࣄྫɺࠂωοτϫʔΫͷiframeͰ࣮ྫ͋Γ
Slide 18
Slide 18 text
ಛʹ cookie ͷ߹
• αϒυϝΠϯ͔ΒͰઃఆ͕Մೳ
• vuln.example.com → .example.com
• ੬ऑੑͷ͋ΔαϒυϝΠϯ͔ΒcookieΛset
• ߈ܸରͷυϝΠϯͰ cookie ىҼͷ DOM based XSS
• MITM attackͰcookieͷઃఆ͕Մೳ
Slide 19
Slide 19 text
CookieΛͬͨ߈ܸ (XSS or ServerSide)
• ͦͷαʔϏεͰ৴༻Ͱ͖Δ͔͠ग़ྗ͠ͳ͍߹ͰXSSՄೳ
• MITMͰͷcookieઃఆ → HSTS include subdomainΛΘͳ͍ͱ͛ͳ͍
• JS ͰserverͰ৴པͰ͖ͳ͍͕ೖΔ͜ͱΛલఏʹઃܭ͢Δඞཁ͕͋Δ
• ࡉͨ͠cookieΛͬͨremote code executionͷࣄྫ͍͔ͭ͋͘Γ
Slide 20
Slide 20 text
Part2. मਖ਼ํ๏
Slide 21
Slide 21 text
ग़ྗՕॴʹԠͯ҆͡શʹ͢Δ
• ධՁ͞ΕΔίϯςΩετʹԠͯ͡ରࡦҧ͏
• શͯʹରͯ͠༗ޮͳvalidationescape ruleଘࡏ͠ͳ͍
• յΕͯྑ͍ͳΒҰϑΟϧλ͢ΔΑ͏ͳॲཧ࡞ΕΔ
<> ͕ೖྗ͞Ε͍ͯΔͱແ༻ͰΤϥʔʂ
Slide 22
Slide 22 text
JavaScriptͷมग़ྗ
• ͦͦආ͚Δ
• data-xxx="html escaped value" ͰຒΊࠐΈΛਪ
• ಉ͡escape ruleͰରԠՄೳɺίϯςΩετΛҙࣝ͠ͳ͍͍ͯ͘
• Ͳ͏ͯ͠ඞཁͰ͋Εɺhtml escapeͰͳ͘js escape
Slide 23
Slide 23 text
URLΛग़ྗ͢Δ߹
• javascript: xxx ͕ೖ͍͚ͬͯͳ͍
• ̋ validation ruleΛ࡞ͬͯద༻͢Δ
• HTML Escape / JS escape ͚ͩͰෆे
• URLΛೖग़ྗ͢ΔΑ͏ͳՕॴɺͲͷΈͪvalidation͕͋Δͣ
Slide 24
Slide 24 text
ίʔυΛੜ͢Δ߹
• eval() ͦͦΘͳ͍Α͏ʹ͢Δ
• JSON.parseͷ༻ͱͯ͠ɺͨ·ʹݟΔ
→ ͏͍Βͳ͍ɺpolyfill༻͢ΕΑ͍
Slide 25
Slide 25 text
HTMLΛग़ྗ͢Δ߹
• innerHTMLΛͳΔ͘Θͳ͍(࠷ऴతͳग़ྗ࣌ͷΈ)
• ࣗಈescapeՄೳͳtemplate engine͏ → mustache ͳͲ
• jQuery ͷ html() → ෆཁͰ͋Ε text() ʹஔ͖͑Δ
• html() ͷଟ༻ϨϏϡʔͷෛ୲ʹͳΔ
Slide 26
Slide 26 text
XSSͷݟ͚ͭํͱ͠ํಉ͡
• ag ͳͲͷίʔυݕࡧπʔϧΛ͏
• ҆શͩͱ֬ೝ͕Ͱ͖ͨॴআ֎͍ͯ͘͠
• ag innerHTML | ag -v "safe"
• ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰո͍͠Օॴݟ͔ͭΔ
Slide 27
Slide 27 text
मਖ਼ํ๏ͷϙΠϯτ
• ։ൃऀ͔Βݟͯ҆શ != ϨϏϡΞʔ͔Βݟͯ҆શ
• ։ൃऀةݥ͕ແ͍ύϥϝʔλͱ͍ͬͯͯύοͱݟͰΘ͔Βͳ͍
• ιʔείʔυݕࡧͰɺո͍͠Օॴ͕ݟ͔ͭΒͳ͍ঢ়ଶ
• ϨϏϡʔ͍͢͠ίʔυʹ͢Δ → ࣗͰίʔυݕࡧͯ͠ΈΔͱྑ͍
Slide 28
Slide 28 text
Part3. ൃੜཁҼͷ
• ͲͷλΠϛϯάͰԿʹҙ͢Εྑ͍ͷ͔͔Βͳ͍
• ةݥͳ͜ͱΛ͍ͯ͠Δ͕֮ࣗͳ͍
• ʮԿΛ͠Α͏ͱͯ͠ى͖ͨͷ͔ʯΛओ࣠ʹղઆ
Slide 29
Slide 29 text
ࣄྫ: ݕࡧΩʔϫʔυͷදࣔ
• ϦϑΝϥ͔Βऔಘ
• ݕࡧΫΤϦ͔Βͷऔಘ
• ࠂ࠷దԽ༻ͷύϥϝʔλΩʔϫʔυϋΠϥΠτͰ͍ͬͯͨ
• ऩӹ૿ՃͷͨΊʹ͋ΒΏΔαʔϏεʹXSS͕Ճ͞Ε͍ͯͨ
Slide 30
Slide 30 text
۩ମྫ
var keyword = '[% param.keyword | html %]'; // ͜Ε͕
↓
var keyword = ''; alert(1); ''; // ͜͏ͳΔ
• ͍࣌ͬͯͨςϯϓϨʔτΤϯδϯ͕ɺγϯάϧΫΦʔτΛΤεέʔ
ϓ͠ͳ͔ͬͨ
• ࠓͰ͋·ΓΈͳ͍
• ϦϑΝϥ͔Βऔಘ͢Δͷ → DOM based XSSʹ
Slide 31
Slide 31 text
ϦϑΝϥΛͬͨXSS
• ϦϑΝϥ͔ΒΩʔϫʔυऔಘͯ͠Φεεϝهࣄදࣔ
• ϦϑΝϥʹ ه߸HTMLλά͕ೖΔ͜ͱΛఆ͍ͯ͠ͳ͍
Slide 32
Slide 32 text
ֶͼ
• ϓϥεΞϧϑΝͷػೳͰXSS͕ى͖͍ͯΔ
• αʔϏεͷຊମͷػೳ͡Όͳ͍෦Ͱ͍ͭͷؒʹ͔XSS͕ग़དྷͯΔ
• ։ൃऴΘͬͯΔΜ͚ͩͲɺ༉அͯ͠Δͱ͜ΖͰɻɻ
• ιʔγϟϧϘλϯՃ → ݱࡏͷURLΛdocument.writeͰग़ྗɺ
Slide 33
Slide 33 text
ࣄྫ: HTML EntityͷղऍΛ͍ͨ͠
• $(el).text() Λͬͯද͍ࣔͯͨ͠Β HTML࣮ମࢀরɺࢀরจࣈ͕ද
ࣔ͞Εͳ͘ͳͬͨ
• ͜͏͍͏ͷͶ B'z → B'z
• → $(el).html() ʹมߋɺࣗಈΤεέʔϓ֎͢ॲཧΛೖΕͯ͠·͏
• Ϣʔβʔೖྗ͕ೖΒͳ͍͔Ͳ͏͔֬ೝ͕ඞཁ
• ҆શͳೖྗՕॴͰ͋ͬͯϨϏϡʔ͕େมʹͳΔ
Slide 34
Slide 34 text
Ͳ͏͢Εྑ͍ʁ
• HTML entityͷղऍͷͨΊʹɺhtml() ΛΘͳ͍ɻ
• html() Λ͏ͱɺ͋ΔಥવةݥʹͳΔ
• ඞཁͳॲཧhtmlग़ྗͰͳ͘ɺdecode html entities
• textarea hack $("").html(value).text()
Slide 35
Slide 35 text
ࣅͨࣄྫ: escapeํࣜͷมߋ
• αʔόʔαΠυͰΤεέʔϓɺjsͰͷग़ྗͰΤεέʔϓ
• ೋॏescapeʹͳͬͯ͠·ͬͨʂ & " ͳͲ͕ը໘ʹදࣔ͞Ε
Δ
• html escape → js escape ͷมߋ
• ͜Εࣗମਖ਼͍͕͠ɺຊʹେৎʁ
Slide 36
Slide 36 text
escapeํࣜมߋʹ͏
• A: ̋ js escapeͰมຒΊࠐΈ → js templateͰauto escapeͰදࣔ
• B: ˚ html escapeͰมຒΊࠐΈ → js templateͰauto escapeͰදࣔ →
ೋॏescape
• C: ☓ js escapeͰมຒΊࠐΈ → innerHTML $() html() Ͱग़ྗՕॴ͕͋Δ
Slide 37
Slide 37 text
Կ͕͔ʁ
• ೋॏΤεέʔϓόά͚ͩͲ XSS ੬ऑੑ
• B → C ʹѱԽ͢ΔՄೳੑ͕͋Δ (όάΛͯ͠੬ऑੑ͕ൃݱ)
• पลՕॴͷϨϏϡʔηοτͰߦΘͳ͍ͱμϝ
Slide 38
Slide 38 text
ֶͼ
• ද͕ࣔόάͬͯ·͢ → ҰൠϢʔβʔQA͔Βͷใࠂ
• ରॲྍ๏తʹ͢ɺ͔ͬͯΔਓ͕ϨϏϡʔ͠ͳ͍··ద༻
• ೋॏΤεέʔϓόά͕XSSͱͯ͠ѱԽͯ͠͠·͏
• ͨ͠ຊਓόάΛͨͭ͠Γ
Slide 39
Slide 39 text
ࣄྫ: ίϝϯτΞτ
ׂͱ͍͠λΠϓ
Slide 40
Slide 40 text
JavaScriptதͷมग़ྗՕॴͷίϝϯτΞτ
• /* */ Λ͏έʔε
• */ ΛೖΕΔ͜ͱͰίϝϯτΛڧ੍ऴྃ͢Δ
/* var keyword = '[% keyword %]' */
↓
/* var keyword = '*/ alert(1) /*' */
Slide 41
Slide 41 text
// Λ͏έʔε
• վߦͰಥഁՄೳ
// var keyword = '
alert(1)//‘
• U+2028 / U+2029 ͰಥഁՄೳ
• վߦΛϑΟϧλͳΜͯத్ͳ͜ͱ͠ͳ͍Α͏ʹɻ
Slide 42
Slide 42 text
ίϝϯτΞτ
• jsͷಈతੜɺมຒΊࠐΈΛΊΔɺͱ͍͏ݪଇͰରԠՄೳ
• มग़ྗՕॴͷจ຺Λҙࣝ͢Δ͜ͱͰ͙ → ͍͠
• JavaScriptத͔ͩΒjs escape!! ͱ͍͏ܒ͕ग़དྷ͍ͯͯൃੜ͢Δ
• ͦͦίϝϯτΞτ͠ͳ͍Ͱؙ͝ͱফ͢ɺgitʹϩάΔ
Slide 43
Slide 43 text
ࣄྫ: ίϯςϯπͷಈతͳϩʔυ
• HTMLஅยΛදࣔ͢ΔΑ͏ͳέʔε
• Single page appͷྲྀߦͰଟ͘ͳͬͨ → router͕ͪΌΜͱॻ͔Ε͍ͯ
Ε੬ऑੑগͳ͍
• ͪΐͬͱલʹ࡞ΒΕͨΑ͏ͳαΠτɺlocation.hash ͔Βऔಘ
• ΞχϝެࣜαΠτϥϯσΟϯάϖʔδͳͲͰΑ͘ݟΔ
Slide 44
Slide 44 text
HTMLஅยϩʔυͷ
• ಉҰυϝΠϯʹ੍ݶ͍ͯͯ҆͠શͰͳ͍έʔε͕͋Δ
• ಉҰυϝΠϯʹΦʔϓϯϦμΠϨΫλ
• ಉҰυϝΠϯͰ <> ΛؚΉίϯςϯπΛಈతੜՄೳ(JSONP API)
• ඞཁͳ͜ͱ → ఆͨ͠path͔Ͳ͏͔ͷݫ֨ͳνΣοΫ
Slide 45
Slide 45 text
ϥΠϒϥϦͰͷ
• ಉҰυϝΠϯͷίϯςϯπ҆શͰ͋Δɺͱ͍͏ࢥ͍ࠐΈ
• jQuery mobile → ϋογϡࢦఆͰಉҰυϝΠϯϩʔυ
• Rails ͷ turbolinks → ϦϯΫઌΛAjaxͰಡΈࠐΜͰߴԽ
• ύονॻ͍ͨΓͨ͠ (ಈతϩʔυΛߦͳ͏content-typeͷ੍ݶ)
Slide 46
Slide 46 text
·ͱΊ
• XSS͍ͯ͘͜͠͠
• ҆શʹ͢ΔͨΊͷγϯϓϧͳݪଇ͋Δ
• ಈతͳίʔυੜΛආ͚ΔɺࣗಈΤεέʔϓΛ͏
• + ݪଇΛ֎Εͨ࣌ʹةݥͩͱ͢Δηϯε͕ඞཁ